Fraud risk can lie dormant below the surface for years. This is often the case until someone in a control position recognizes a weakness in the control environment and exploits it for their gain. Right now, there are thousands of ongoing fraud schemes taking place in organizations that have gone unnoticed for years. Organizational resiliency has been put to the test as never before. Many companies have failed or sought bankruptcy protection to reorganize … For all these reasons, now is exactly the right time to perform a meaningful fraud risk assessment.
In a recent episode of the Fraud Eats Strategy podcast with Association of Certified Fraud Examiners (ACFE) CEO Bruce Dorris, we posed the question: why look for fraud now?
Fraud risk isn’t static, it is dynamic. Fraud risk has arguably never been greater than it is right now in the midst of the financial crisis. Efforts to uncover fraud need to be adapted to the ever-changing nature of fraud risk. According to recent research undertaken by the ACFE in the wake of COVID-19, anti-fraud experts are expecting every category of fraud to increase over the next year. Cyber, vendor schemes, kickbacks, inflated expenses, ghosts on the payroll, fictitious customers, diverted customer remittances, business email compromise – every category of fraud is expected to increase. Fraud is most often a crime of opportunity and the tectonic disruptions and layoffs caused by the pandemic and the financial crisis have created a chasm of opportunity.
It isn’t just commercial entities and individuals that are being targeted by fraudsters. The CARES Act stimulus package and its numerous assistance programs have already been the target of thousands of fraud schemes and will continue to be targeted until the money runs out. The ACFE publishes an incredibly valuable report every two years called the Report to the Nations. It is a detailed study of fraud investigations performed by ACFE members. The report frequently cites the figure that 5% of revenue is lost to fraud, waste and abuse every year. The CARES Act will ultimately distribute between $2.2 and $4 trillion in stimulus funds. Applying the 5% fraud loss figure to the $4 trillion in stimulus money suggests the possibility that a staggering $200 billion or more could be lost to fraud, waste and abuse.
As fraud practitioners, we always advise people about the need for robust anti-fraud controls and to slow things down to examine the potential for fraud risks that are nuanced to a given situation. In the current crisis, fraud prevention best practice had to be largely ignored because the financial need was so great and so immediate. The human toll was potentially so devastating that the reality was – here’s $2 trillion, fraud controls to follow. That is often the case in crises. Whether it’s a hurricane, an earthquake, or maybe a prior economic crisis, anti-fraud controls must be applied after the fact.
Financial pressure and opportunity are two major factors that drive people to commit fraud. There has never been more of an opportunity to commit fraud, and the financial pressures being experienced by individuals and commercial entities are unlike anything most of us have experienced in our lifetimes.
Fraud is on the rise, wide swaths of the economy are dependent on government bailout programs to continue operations, many organizations are struggling financially, members of the workforce are experiencing unprecedented financial stress and unemployment is at an all-time high. These factors have created a perfect storm of fraud risk, and fraudsters are doubling down on their efforts to take advantage of our precarious financial situation.
So, if you accept the premise that now IS exactly the right time to examine fraud risk, a fraud risk assessment is the logical starting point. Under normal circumstances, most anti-fraud practitioners will advise that fraud risk assessments should be performed at regular intervals of no more than 2 years or if there’s been a significant change to the business. COVID-19 is a significant change that should trigger fraud risk assessments across the globe.
At its core, a fraud risk assessment is a critical examination of the people, processes and systems in place to support business operations and how they can be negatively impacted by fraud. Fraud targets financial assets, intellectual property and tangible property. Organizations provide goods and services, tender invoices to their customers and process customer remittances. They consume goods and services and pay for them by check, wire, or ACH payment. They have employees and in some cases contractors or temporary staff who are paid salaries and hourly wages. Payroll systems withhold portions of paychecks to pay income tax, social security, make 401k contributions and pay benefits such as health insurance. Companies warehouse inventory and equipment, consume raw materials, manufacture finished product, purchase and utilize equipment and create and store intellectual property. Employees incur expenses for travel and entertainment and then seek reimbursement for these business expenses.
Each of these activities is vulnerable to fraud. There are internal controls in place intended to mitigate fraud and theft risks in each of these categories of activity. No system of internal controls, no matter how robust, can prevent all frauds from happening. Everyone’s organization is built upon trust. We are inherently trusting, and the act of employing people means entrusting them with responsibilities. Sadly, not everyone is deserving of our trust and no control environment can prevent people from violating it. A fraud risk assessment requires an examination of a cross-section of people, activities, systems and transactions.
Procurement is a particularly vulnerable area. Nearly 19% of all frauds are asset misappropriation and the biggest category of asset misappropriation fraud is vendor fraud. It is an incredibly easy type of fraud to commit and does not require much sophistication. Some vendors may be completely fraudulent, set up by an employee or officer who may have the ability to approve invoices for payment. Other times, legitimate vendors may agree with a rogue employee to inflate their invoices and then share the proceeds of the overpayment with their co-conspirator. These are just two fraud scenarios that could occur in one function. A meaningful fraud risk assessment considers a wide range of fraud scenarios across each function related to assets, disbursements, receipts, payroll and expenses, along with the controls in place intended to mitigate those frauds, and may include sample testing of transactions to determine whether any frauds have been ongoing.
In many organizations, multiple frauds are ongoing at any given time. Others experience fraud episodically. While some frauds are small and may not result in long-term harm, others can be devastating and lead to layoffs, bankruptcy and liquidation. Most frauds are discovered by accident. They never come at a good time for the organization, are costly and can have a terrible impact on morale and market reputation.
Given the state of our economy and the need for resiliency, organizations are encouraged to take a proactive stance to root out fraud. Doing so has numerous benefits. It raises fraud awareness across the organization, which in turn sensitizes employees and officers to how to recognize and respond to fraud indicators. It puts dishonest employees and vendors on notice that the company is adopting a more aggressive stance on fraud. And most importantly, it can significantly reduce the negative consequences of fraud by strengthening fraud controls and interrupting frauds or corruption schemes that were ongoing, leading to significantly reduced fraud losses.
To hear the full Fraud Eats Strategy podcast episode with ACFE CEO Bruce Dorris, click here:
Note: The postings on this site are my own and do not necessarily represent FTI Consulting’s positions, strategies or opinions.